According to a recent report published by the Common Vulnerabilities and Exposures (CVE) project, flaws in Web software are among the most reported security issues so far this year. It's easy to see why. After all, hackers are known to search for an easy target. Poorly configured or written Web applications are not only an easy target, taking the attacker straight to their goal -- data, and lots of it -- but also can be used to spread malware to anyone else who visits the compromised site.
Sadly, the increase in such flawed applications indicates many developers, or the organizations that they work for, do not fully appreciate the environment in which their applications run or the languages used to create them.
An education issue?
"Easy to learn" scripting languages enable anyone with an eye for graphic design to develop and code powerful Web-based applications. Unfortunately, many developers only bother to learn the eye-catching features of a language and not the security issues that need to be addressed. Also, many of the introductory books on coding fail to discuss security. And, as a result, many of the same vulnerabilities that were problematic for developers several years ago remain a problem today. This is perhaps why cross-site scripting (XSS) is now the most common type of application layer attack, while buffer overflow vulnerabilities, the perennial No. 1, has dropped to fourth place. Two other Web application vulnerabilities, SQL injection and PHP remote file inclusion, take second and third spots.
Mitigating Web application flaws
Fortunately, many risks and remedies overlap. Fixing one problem will more than likely fix another. For example, let's look at some of my best practices for thwarting SQL injection attacks:
- Assume all data that the application handles is from an untrusted source.
- Validate all received data for type, length, format and range.
- Only process data that is deemed valid and reject everything else.
- Validate data using a trusted server or application.
- Use parameterized queries and stored procedures.
- Handle errors without divulging system information.
Now, implementing these recommendations will also help combat cross-site scripting attacks. One measure developers should adopt particularly to prevent XSS, is to encode input data. Encoding transforms potentially dangerous characters into their display equivalents by using character entity references. For example <script> becomes
<![CDATA[<script>.]]>For encoding to be effective, developers should explicitly fix the character set of every Web page. I would also implement a session expiry policy whereby users who don't interact with your site for a period of time are logged out. With this policy, any cookies are destroyed and not just left to expire.
The PHP remote file-inclusion vulnerability can also be tackled by checking user input combined with the file_exists() function. This function cannot check remote files, and this allows you to first verify whether an included file exists on your local file system.
As you can see, most vulnerabilities arise when user input is not properly checked. If you are in charge of Web development, ensure that all data is filtered, validated, and encoded before using it in your scripts, data access routines and SQL queries.
About the author:
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity.com's Messaging Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
